Firewall-1

Re: [FW-1] FW-1-MAILINGLIST Digest - 1 Jun 2006 to 2 Jun 2006 (#2006-148)

Subject: Re: [FW-1] FW-1-MAILINGLIST Digest - 1 Jun 2006 to 2 Jun 2006 (#2006-148)
From: Pam Wang <pam AT DYNASAFE.COM DOT TW>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Wed, 28 Jun 2006 18:42:10 +0800
Hi List

Eventia Reporter:
I could see the VPN-1 EDGE log in SmartView Tracker,
but when I run a report with only 'edge' selected,
I couldn't see any result in the report.
Edge: (firmware and libsw) 6.0.63
Eventia Reporter : 
OS : splat NGX_R60_03


On Sat, 3 Jun 2006 00:00:01 -0700, FW-1-MAILINGLIST automatic digest system wrote:
> There are 8 messages totalling 1030 lines in this issue.
> 
> Topics of the day:
> 
>   1. Fwd: Re: [FW-1] secure remote users cannot access target servers in VPN
>      domain (2)
>   2. Do you have "/opt/CPEdgecmp" on NGX R60 HFA03? (was RE: [FW-1] SV: [FW-1]
>      NGX R60 HFA03 SPLAT libsw directories)
>   3. Fwd: Re: [FW-1] secure remote users cannot access target servers in VPN
>      domain (3)
>   4. HELP PLEASE !!!!!  Running Nokia IPSO 3.9 and Checkpoint NGAI R55
>   5. merging multiple logs into one using software or tool
> 
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to LISTSERV AT amadeus.us.checkpoint DOT com
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> fw-1-owner AT ts.checkpoint DOT com
> =================================================
> 
> ----------------------------------------------------------------------
> 
> Date:    Fri, 2 Jun 2006 00:29:45 -0700
> From:    Shiroma Dassanayake <nilshiro2000 AT YAHOO DOT COM>
> Subject: Fwd: Re: [FW-1] secure remote users cannot access target servers in 
> VPN domain
> 
> Note: forwarded message attached.
> 
>   Dear all
> 
>   Thanks to all of you that replied. The SecuRemote clients are not 
> connecting through ADSL, so PPPoE is not used. A few additional tests were 
> conducted, that is why there's been a delay in the reply.
> 
>   The SecuRemote client is installed on a machine that is part of the 
> internal LAN of a supplier. The SecuRemote client is assigned a 
> "statically NAT'd public IP" when it leaves the company gateway to access 
> the internet.
> 
>   Conditions under which this SecuRemote client can access the target 
> servers in our VPN domain:
> 
>   SecuRemote client machine connects to the ISP router directly (bypassing 
> the company firewall)
> 
>   SecuRemote client machine connects to the internet through a dial-up 
> connection to an ISP.
> 
>   As soon as the SecuRemote client machine is placed in the company LAN 
> and is statically NAT'd to a public IP, it cannot access the target servers 
> contained in the VPN domain behind our gateway. The client machine is able to 
> download the site details but is not able to access the target servers.
> 
>   Is there a restriction in SecuRemote that prevents a SecuRemote client 
> from accessing servers contained within a VPN if the connection originates 
> from a public IP that has been statically NAT'd?
> 
>   Thanks and regards
>   Shiroma
> 
> ------------------------------
> 
> Date:    Fri, 2 Jun 2006 09:34:33 -0300
> From:    Paulo Zenari <p_zenari AT YAHOO.COM DOT BR>
> Subject: Re: Fwd: Re: [FW-1] secure remote users cannot access target servers 
> in VPN domain
> 
> Hi Shiroma,
> 
> There was a thread about this on this mailing list a few days ago.
> Check a possible solution below.
> 
> Regards,
> 
> Paulo Zenari
> p_zenari AT yahoo.com DOT br
> 
> > Hi Antonio,
> >
> > A possible answer to the third question:
> >
> > To achieve full SC connectivity, even behind the most esoteric NATing 
> > devices, you may want to enable the following:
> >
> > - On the gateway object, *'Remote Access'* tab: check the *'Support 
> > NAT traversal mechanism'* box;
> > - On the gateway object, *'Remote Access->Office Mode'* tab: *Enable 
> > Office Mode* and configure its options;
> > - On the Global Properties, *'Remote Access->VPN - Basic'* tab: Check 
> > the *'Gateways support IKE over TCP'* box.
> >
> > The last item is particularly useful when establishing the VPN from 
> > behind a Checkpoint FW1 or DSL router. IKE UDP packets are big, and 
> > some routers appear to have problems in reassembling those packets. 
> > Supporting IKE over TCP
> >
> > Some points to consider:
> >
> > - To support Office Mode, the VPN client must be installed as Secure 
> > Client, even if you don't have a Policy Server;
> > - Secure Client must be configured to support all three options 
> > listed. It's wise to create a preconfigured package;
> > - The proposed setup allows VPN establishment even from RFC 1918 
> > networks with conflicting addresses. Example: VPN from a 
> > 192.168.5.0/26 network, while your encryption domain contains a 
> > sub/superset of this network, such as 192.168.0.0/16. The drawback is: 
> > you won't be able to communicate with local conflicting addresses 
> > while the VPN is established.
> > - Enabling those options on the gateway only adds functionality. Your 
> > old VPN clients will still work.
> > - Your internal network must know that the IP range chosen as the 
> > Office Mode pool must be routed back to your Checkpoint;
> > - The IP range chosen as the Office Mode pool *MUST NOT* appear in the 
> > encryption domain. If your encryption domain is something like 
> > 10.0.0.0/8 and you want to use 10.40.1.0/24 as an Office Mode pool, 
> > create a 'group with exclusion'.
> >
> > I hope this information is useful! :)
> >
> > Regards,
> >
> > -- 
> > Paulo Zenari
> > p_zenari AT yahoo.com DOT br
> >
> >
> > Antonio Costa wrote:
> >  Hi all,
> >
> >   Three questions about SecuRemote/Secure Client:
> >
> >    - Has anyone found or implemented an SC/SR tester application?
> >
> >    - Some time ago we tested with GSM/GPRS companies in Brazil, the USA
> >      and Europe, and with none of them could we establish an SC
> >      connection. We also found an RFC about problems using IPSec
> >      clients in GSM/GPRS networks.
> >
> >      Has anyone done any tests or had a success story with it?
> >
> >    - How can I tell SC to establish an encrypted connection to our
> >      gateway even if the local IP address belongs to an internal LAN
> >      behind my firewall?
> >
> > -- 
> > Antonio Costa
> > CCNA/CCSE/MCSE/LinuxAdmin
> > Sao Paulo / Brasil
> 
> ------------------------------
> 
> Date:    Fri, 2 Jun 2006 08:18:01 -0500
> From:    Jim Johnson <jimpublic AT FRHS DOT ORG>
> Subject: Do you have "/opt/CPEdgecmp" on NGX R60 HFA03? (was RE: [FW-1] SV: 
> [FW-1] NGX R60 HFA03 SPLAT libsw directories)
> 
> So it appears that my entire "/opt/CPEdgecmp" directory has disappeared.
> Can anyone else running R60 HFA03 verify if they have this directory?
> 
> # ls -l /opt
> total 44K
> lrwxrwxrwx    1 root     root           28 Mar 29 14:41 CPDownloadedUpdates -> /var/opt/CPDownloadedUpdates
> drwxr-xr-x    2 root     root         4.0K May  1 22:23 CPInstLog
> drwxrwx---    3 root     bin          4.0K Mar 29 14:43 CPinfo-10
> drwxrwx---    3 root     root         4.0K Mar 29 14:35 CPshared
> drwxrwx---    8 root     bin          4.0K May  1 22:24 CPshrd-R60
> drwxr-x---    4 root     bin          4.0K May  1 22:24 CPsuite-R60
> drwxr-x---    5 root     bin          4.0K May  1 22:18 SecurePlatform
> drwxr-xr-x    2 root     root          16K Mar 29 14:30 lost+found
> drwx------    9 root     root         4.0K Mar 29 14:36 spwm
> 
> > -----Original Message-----
> > From: Mailing list for discussion of Firewall-1 
> > [mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf 
> > Of Torkel Mathisen
> > Sent: Friday, June 02, 2006 2:02 AM
> > To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> > Subject: [FW-1] SV: [FW-1] NGX R60 HFA03 SPLAT libsw directories
> > 
> > Hi
> > 
> > You should perhaps have libsw in /opt/CPEdgecmp/libsw also.
> > 
> > Also, on R55 there was a libsw in the /opt/CPfwbc-41 
> > directory, but that's gone on R60 I think.
> > 
> > Regards,
> > Torkel
> > 
> > -----Original Message-----
> > From: Mailing list for discussion of Firewall-1 
> > [mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of 
> > Jim Johnson
> > Sent: 1 June 2006 20:44
> > To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> > Subject: [FW-1] NGX R60 HFA03 SPLAT libsw directories
> > 
> > In expert mode on NGX R60 HFA03 SPLAT enforcement module if I run:
> > # find / -name libsw
> > /opt/CPsuite-R60/fw1/libsw
> > 
> > You can see that only one directory is returned.  Is this normal?  I
> > thought I had two libsw directories before, but I'm not sure if HFA03
> > deleted one of them, or if another admin deleted it.
> 
> ------------------------------
> 
> Date:    Fri, 2 Jun 2006 09:16:18 -0500
> From:    "Addepalli, Anand" <aaddepalli1 AT COOKSYS DOT COM>
> Subject: Re: Fwd: Re: [FW-1] secure remote users cannot access target servers 
> in VPN domain
> 
> Shiroma
> 
> There is no restriction in SecuRemote that hinders accessing a VPN domain if
> statically NAT'd. I have the same kind of setup from a customer site and
> there are no problems. You just have to make sure that they have enabled VPN
> ports outbound to your network. Their firewall must be dropping IKE packets.
> 
> Anand Addepalli.
> 
> ------------------------------
> 
> Date:    Fri, 2 Jun 2006 10:46:56 -0400
> From:    "Concepcion, Juan" <jconcepcion AT CROSSBEAMSYS DOT COM>
> Subject: Re: Fwd: Re: [FW-1] secure remote users cannot access target servers 
> in VPN domain
> 
> The thing you have to ensure on the client side, SecuRemote, is that the
> firewall has a wide open IPsec rule:
> 
> Rule 1
> 
> Source: any
> Destination: Remote Firewall
> Service: ike/ipsec/esp/ah
> 
> Rule 2
> 
> Source: Remote Firewall
> Destination: Any
> Service: ike/ipsec/esp/ah
> 
> I of course have left it set to any, but of course you could ensure the
> client has a static DHCP address tied to it and replace the "any" with
> that IP.
> 
> Juan
> 
> ------------------------------
> 
> Date:    Fri, 2 Jun 2006 12:32:44 -0500
> From:    Lino Eduardo Avila Rodríguez <leavila AT SCITUM.COM DOT MX>
> Subject: Re: HELP PLEASE !!!!!  Running Nokia IPSO 3.9 and Checkpoint NGAI R55
> 
> Just a note. R55 can run on IPSO 3.9 without any problems. I got a customer
> with this configuration and they haven't had any issue.
> 
> Regards,
> 
>  lino
> 
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of Peter Addy
> Sent: Thursday, 01 June 2006 05:12 p.m.
> To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> Subject: Re: [FW-1] HELP PLEASE !!!!! Running Nokia IPSO 3.9 and Checkpoint
> NGAI R55
> 
> Hi
> 
>   Thanks for this, lesson learnt here, well hope so
> 
>   Going to install 3.8 and see how that goes
> 
>   cheers
> 
> cisco4ng <cisco4ng AT YAHOO DOT COM> wrote:
>   This is my 2c:
> 
> 1) you should be running IPSO 3.7.1 build 024. It is a very stable ipso
> version. Is there a reason why you would want to run IPSO 3.8 or IPSO 3.9?
> 
> 2) you should be running R55w with HFA_04 on IPSO3.7.1 build 24 for the
> reason that R55w is very close to NGx and it is also a very stable version
> as well. 
> Furthermore, you can use the same NG FP3 license on NG AI R55w.
> 
> Contact me offline if you need additional help. I am, by no means, an expert
> with Nokia and IPSO but I am managing about 500 Nokia appliances here at
> work.
> 
> cisco4ng
> 
> Gary Scott wrote:
> I don't think IPSO 3.9 supports r55 only NGX. 3.8 you needed r55p.
> 
> -GS
> 
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of Peter Addy
> Sent: Thursday, June 01, 2006 4:03 PM
> To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> Subject: [FW-1] HELP PLEASE !!!!! Running Nokia IPSO 3.9 and Checkpoint NGAI
> R55
> 
> Hi
> 
> Please help! This is a live environment without redundancy!
> 
> Previous configuration Nokia IPSO 3.6 and Checkpoint FP3
> 
> Upgraded to IPSO 3.9 and NGAI R55, HAF_17 performing "new install"
> running both on Nokia IP740
> 
> Upgrade went fine on one device however when coming to failover this would
> not take effect, downed quite a few interfaces on primary to failover but no
> VRRP advertisements seen on Secondary ????
> 
> "cpstop" on primary does not perform failover to secondary ??
> 
> Also looking at the CPHA doing cphaprob stat this shows one active and one
> down on both modules.
> 
> After disabling an interface on the primary the command "sh vrrp "
> just shows 1 less interface in master state ????
> 
> Decided to upgrade primary to IPSO 3.6 and NGAI R55, thinking this would
> resolve the problem.
> Disabled VRRP preempt mode on both Nokias and tested failover, still not
> working and both devices went into backup, help !!!
> 
> Managed to get the primary back to master by turning the "firewall monitor"
> off in the VRRP section in voyager, checked the Checkpoint policy and all
> seems ok, pushed policy ok, selecting cluster device as NGAI.
> 
> current status primary as master and secondary as backup, failover not
> working and no idea why cpha shows one active and one down?
> 
> VRRP all checked, is there fundamentally something wrong here, am I missing
> something !! Has anyone come across this before?
> 
> Your help is most appreciated
> 
> Thanks
> 
> ------------------------------
> 
> Date:    Fri, 2 Jun 2006 17:09:19 -0400
> From:    Caballero Carlos <ccaballero AT BANCOMERCANTIL.COM DOT BO>
> Subject: Re: Fwd: Re: [FW-1] secure remote users cannot access target
> servers in VPN domain
> 
> Shiroma,
> 
> Have you solved your problem?
> 
> Carlos Caballero
> Communications Engineer
> Banco Mercantil S.A.
> La Paz - Bolivia
> Tel.: (591) 2 2409040 Ext.: 4441
> 
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of
> Concepcion, Juan
> Sent: Friday, 02 June 2006 10:47 a.m.
> To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> Subject: Re: [FW-1] Fwd: Re: [FW-1] secure remote users cannot access
> target servers in VPN domain
> 
> The thing you have to ensure on the client side, SecuRemote, is that the
> firewall has a wide open IPsec rule:
> 
> Rule 1
> 
> Source: any
> Destination: Remote Firewall
> Service: ike/ipsec/esp/ah
> 
> Rule 2
> 
> Source: Remote Firewall
> Destination: Any
> Service: ike/ipsec/esp/ah
> 
> I of course have left it set to any, but of course you could ensure the
> client has a static DHCP address tied to it and replace the "any" with
> that IP.
> 
> Juan
> 
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of
> Addepalli, Anand
> Sent: Friday, June 02, 2006 10:16 AM
> To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> Subject: Re: [FW-1] Fwd: Re: [FW-1] secure remote users cannot access
> target servers in VPN domain
> 
> Shiroma
> 
> There is no restriction in SecuRemote that hinders accessing a VPN
> domain if statically NATed. I have the same kind of setup from a
> customer site and there are no problems. You just have to make sure that
> they have enabled VPN ports outbound to your network. Their firewall
> must be dropping IKE packets.
> 
> Anand Addepalli.
> 
> -----Original Message-----
> From: Shiroma Dassanayake [mailto:nilshiro2000 AT YAHOO DOT COM] 
> Sent: Friday, June 02, 2006 2:30 AM
> To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> Subject: [FW-1] Fwd: Re: [FW-1] secure remote users cannot access target
> servers in VPN domain
> 
> Note: forwarded message attached.
> 
>   Dear all
> 
>   Thanks to all of you that replied. The Secure remote clients are not
> connecting through ADSL, so PPPoE is not used. A few additional tests
> were conducted, which is why there's been a delay in the reply.
> 
>   The secureremote client is installed on a machine that is part of the
> internal LAN of a supplier. The secure remote client is assigned a
> "statically NAT'd public IP" when it leaves the company gateway to
> access the internet.
> 
>   Conditions under which this secure remote client can access the target
> servers in our VPN domain:
> 
>   secure remote client machine connects to the ISP router directly
> (bypassing the company firewall)
> 
>   secure remote client machine connects to the internet through a
> dial-up connection to an ISP.
> 
>   As soon as the secure remote client machine is placed in the company
> LAN and is statically NAT'd to a public IP, it cannot access the target
> servers contained in the VPN domain behind our gateway. The client
> machine is able to download the site details but is not able to access
> the target servers.
> 
>   Is there a restriction in secureremote that prevents a secureremote
> client from accessing servers contained within a VPN if the connection
> originates from a public IP that has been statically NAT'd?
> 
>   Thanks and regards
>   Shiroma
> 
> ------------------------------
> 
> Date:    Sat, 3 Jun 2006 10:22:35 +0800
> From:    "Alex S." <alexals AT KKIPC DOT COM>
> Subject: merging multiple logs into one using software or tool
> 
> Hi,
> 
> Is there software or a tool which can merge multiple log files into
> one? I have around hundreds of logs (5 MB each) and want to
> merge them into one.
> 
> Thanks very much.
> 
> Regards,
> 
> Al
> 
> 
> ------------------------------
> 
> End of FW-1-MAILINGLIST Digest - 1 Jun 2006 to 2 Jun 2006 (#2006-148)
> *********************************************************************


--
Open WebMail Project (http://openwebmail.org)
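
The two client-side rules suggested in the quoted thread (IKE, ESP and AH allowed to and from the remote firewall) can be checked against an ordered rule list before blaming the VPN client. The sketch below is an added example, not part of the original messages and not Check Point's rule-base format: it models a generic first-match policy, and the rule names, addresses and the `BEFORE`/`AFTER` policies are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Services named in the thread: IKE (UDP/500), ESP (IP protocol 50), AH (IP protocol 51).
VPN_SERVICES = ("ike", "esp", "ah")

@dataclass
class Rule:
    name: str
    src: str          # CIDR or "any"
    dst: str          # CIDR or "any"
    services: tuple   # service names, or ("any",)
    action: str       # "accept" or "drop"

def _addr_match(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)

def first_match(policy, src, dst, service):
    """Return the first rule matching the flow, or None (implicit drop)."""
    for rule in policy:
        if (_addr_match(rule.src, src) and _addr_match(rule.dst, dst)
                and ("any" in rule.services or service in rule.services)):
            return rule
    return None

def vpn_gaps(policy, client, gateway):
    """List (direction, service, blocking rule) for every VPN flow not accepted."""
    gaps = []
    for direction, src, dst in (("out", client, gateway), ("in", gateway, client)):
        for svc in VPN_SERVICES:
            rule = first_match(policy, src, dst, svc)
            if rule is None or rule.action != "accept":
                gaps.append((direction, svc, rule.name if rule else "implicit-drop"))
    return gaps

# Constructed sample: a supplier firewall that lets IKE out but nothing else VPN-related.
CLIENT, GATEWAY = "10.1.1.25", "203.0.113.1"
BEFORE = [
    Rule("web-out", "10.1.1.0/24", "any", ("http", "https"), "accept"),
    Rule("ike-out", "10.1.1.0/24", "any", ("ike",), "accept"),
    Rule("cleanup", "any", "any", ("any",), "drop"),
]
# The thread's Rule 1 and Rule 2, with "any" narrowed to the client's fixed address.
AFTER = [
    Rule("vpn-out", CLIENT + "/32", GATEWAY + "/32", VPN_SERVICES, "accept"),
    Rule("vpn-in", GATEWAY + "/32", CLIENT + "/32", VPN_SERVICES, "accept"),
] + BEFORE

if __name__ == "__main__":
    for label, policy in (("before", BEFORE), ("after", AFTER)):
        print(label, vpn_gaps(policy, CLIENT, GATEWAY))
```

With the constructed `BEFORE` policy, outbound IKE is accepted while ESP, AH and all return traffic fall through to the cleanup rule, so an outbound-only "VPN ports" rule is not sufficient.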
